Privacy protections in Act apply to all electronic communications stored in the US, court rules

A law which gives US citizens certain rights to privacy over their electronic communications also gives protection to non-US citizens if their data is stored on US servers, a US court has ruled.06 Oct 2011

The US Court of Appeals rejected an argument from Korean firm Suzlon Energy that protections under the US' Electronic Communications Privacy Act (ECPA) only apply to US citizens. Suzlon had argued that software giant Microsoft should be forced to disclose email documents belonging to Indian citizen Rajagopalan Sridhar to use as part of a civil fraud case against Sridhar in Australia.

Microsoft said it should not have to provide Sridhar's email files because Sridhar was "entitled to the protection" of the ECPA.

Under the ECPA "a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service".

The Act also states that people could be entitled to damages and other relief from those who "intercepted, disclosed, or intentionally used" their "wire, oral or electronic communication" unlawfully.

The Court of Appeals backed a previous ruling by a US district court by ruling that the protection of the ECPA applied to non-citizens as well as US citizens because of how it was written.

"The Court affirms the district court’s finding that the plain text of the ECPA applies its terms to 'any person,' without qualification," the Court said in its ruling. (11-page / 52KB PDF)

"Any person means any person, including foreign citizens," it said.

The ECPA includes a number of exceptions in which individuals' protection rights do not apply. The Court said that because none of the exceptions contained restrictions on citizenship the protection rights within the EPCA should not just apply to US citizens.

"By limiting the ECPA only to those people entitled to Fourth Amendment protection, as urged by Suzlon, an email service provider would need to assess whether a particular account holder was at all times a US citizen, or later became a citizen, or was a resident alien with some Fourth Amendment protection, or if there were other reasons to provide Fourth Amendment rights," the ruling said.

"This would be a costly, fact-intensive, and difficult determination. But under Microsoft’s interpretation of 'any person,' it’s clear that the ECPA at least applies whenever the requested documents are stored in the United States. The Court does not address here whether the ECPA applies to documents stored or acts occurring outside of the United States," it said.

The Fourth Amendment to the US Constitution guarantees that "[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

"This case involved the disclosure of emails stored in the US. The court in this instance did not address whether the EPCA offers protection only to information that is stored in the US. A previous Ninth Circuit ruling held that the ECPA did not cover email interceptions outside of the US," Claire McCracken, a privacy law expert at Pinsent Masons, the law firm behind Out-Law.com, said.

"This raises an interesting question as to whether location of the server where the documents are stored is a workable basis to determine whether statutory protection should be lost," McCracken said.